Maps to
QMSR / ISO 13485: §820.90/820.198
ISO 13485: §8.5.2/8.5.3
Requirement text
The organization shall establish documented procedures for corrective action to eliminate the cause of nonconformities, and preventive action to eliminate causes of potential nonconformities. FDA-Plus: CAPA procedures must include analysis of quality data sources (complaints, audits, NCRs, service records) to identify existing and potential causes of nonconforming product. Effectiveness of CAPA must be verified and documented.
What changed
Under Part 820, CAPA was governed by 820.90 (nonconforming product) and 820.100 (corrective and preventive action) as a single, highly prescriptive regulation. The QMSR now points to ISO 13485 clauses 8.5.2 (corrective action) and 8.5.3 (preventive action) as two distinct clauses, each with its own procedural requirements. This structural separation forces organizations to demonstrate that they have independent, documented procedures for both corrective and preventive action rather than treating them as a single combined process.
ISO 13485 introduces a process-based, risk-informed approach to CAPA that Part 820 left largely implicit. Where Part 820 prescribed specific steps (investigate, identify cause, take action, verify effectiveness), ISO 13485 frames CAPA within the broader measurement-analysis-improvement cycle and explicitly requires that corrective and preventive actions be "appropriate to the effects of the nonconformities encountered" (8.5.2) or "appropriate to the effects of the potential problems" (8.5.3). This proportionality requirement means organizations must now demonstrate risk-based prioritization of CAPAs, not just that they completed the steps.
ISO 13485 also adds explicit requirements that Part 820 left implicit: the organization must determine and implement any changes needed to the QMS as a result of corrective or preventive action, and must verify that actions taken do not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device. The FDA preamble to the QMSR final rule emphasized that CAPA remains one of the most critical subsystems and that the agency expects the same rigor under ISO 13485 as under the legacy QSR, noting that many of the ISO 13485 requirements are "substantially similar" but the process approach demands more systematic integration with complaint handling, audit findings, and management review.
The linkage requirements are also more explicit under ISO 13485. CAPA inputs must demonstrably draw from complaints (8.2.2), feedback (8.2.1), audit findings (8.2.4), nonconformances (8.3), and data analysis (8.4). Part 820.100 required analysis of "quality data" but did not enumerate these specific input channels with the same clarity. CAPA is consistently the number one area of FDA 483 observations, with common citations including failure to establish adequate CAPA procedures, failure to verify effectiveness, and failure to perform adequate root cause analysis.
Atomic constraints
- •Documented CAPA procedures must exist.
- •Root cause analysis must be performed for corrective actions.
- •Preventive actions must address potential nonconformities before they occur.
- •CAPA effectiveness must be verified and documented.
- •Quality data sources must be systematically analyzed to identify CAPA needs.
- •CAPAs must be escalated to management review when they indicate systemic issues.
Common gaps
No Separate Preventive Action Procedure
majorMany Part 820-era QMS libraries treat corrective and preventive action as a single combined procedure. ISO 13485 requires distinct documented procedures for corrective action (8.5.2) and preventive action (8.5.3), each with their own inputs, investigation methods, and records. Organizations that cannot demonstrate a standalone preventive action process will face audit findings.
Inadequate Effectiveness Verification
majorISO 13485 requires verification that corrective/preventive actions do not adversely affect device safety, performance, or regulatory compliance. Many organizations check only whether the specific nonconformity recurred, without verifying broader impact. This is also one of the most frequent FDA 483 observations for CAPA systems.
Failure to check 'adverse effects'
majorThe CAPA procedure doesn't require an evaluation of whether the fix itself introduced new hazards or regulatory non-compliance. ISO 13485 §8.5.2(e) requires this check.
Undue delay in closure
majorCAPAs remain open for 12+ months with no documented rationale for the delay. ISO 13485 §8.5.2 requires action 'without undue delay.'
Missing Risk-Based CAPA Prioritization
moderateISO 13485 requires that actions be "appropriate to the effects" of the nonconformities, which implies a risk-based prioritization scheme. Many legacy CAPA procedures treat all CAPAs with the same level of investigation rigor regardless of severity, leading to either over-investigation of minor issues or under-investigation of serious ones.
Evidence signals
- •
FILE_EXISTS
(CAPA|Corrective.*Action|Preventive.*Action|Root.*Cause)
- •
CONTENT_MATCH
Does this document describe CAPA procedures including root cause analysis, action plans, implementation tracking, and effectiveness verification?
Audit defense
Our CAPA system ([your document ID]) ensures that every corrective and preventive action for [your product] undergoes formal root cause analysis with verified effectiveness. Quality data from complaints, audits, and NCRs feeds CAPA initiation, with trends reported to management review.